asp.net sql parameterized-query

basics of parameterized query


  1. I have used parameterized queries a number of times and I know they help in preventing SQL injection. But I was wondering if I can know the basic logic working inside a parameterized query to prevent SQL injection; maybe it is very simple, but I don't know about it. I tried to search Google for the basics of it, but every time I found an example of how to use a parameterized query in ASP.NET.
  2. I know about making a special class which stops those special characters like (', -- etc.) which are used in SQL injection, but does stopping only special characters totally prevent SQL injection?
  3. And one last thing: can .NET parameterized queries fully stop SQL injection?

Solution

  • I think parametrized queries are not dependent on the database's support for prepared queries. The database driver itself passes values the safe way, and how this is done depends on the driver itself.

    The PostgreSQL manual explains the basics of parametrized queries at the database level.

    On the other hand, parametrized queries simplify passing locale-sensitive data. For example, a user enters the decimal 100,00, but your server expects the value 100.00.
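As an added illustration of the separation the answer describes (this is example code, not from the original post or from any .NET driver), the block below uses Python's built-in sqlite3 module with a constructed in-memory table: the concatenated query lets a value change the WHERE clause, while the placeholder form hands the same value to the driver as data, and a legitimate apostrophe (O'Brien) only works with the placeholder form.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data for the demonstration (not from the original post).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("o'brien", "user")],
    )
    return conn


def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable form: the value is spliced into the SQL text, so the SQL
    # parser treats any quote or comment marker inside it as SQL syntax.
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn: sqlite3.Connection, name: str) -> list:
    # Parameterized form: the SQL text with a placeholder is parsed first;
    # the value is bound afterwards as data and can never become syntax.
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


def concat_query_fails(conn: sqlite3.Connection, name: str) -> bool:
    # True when the concatenated query is rejected by the parser, which is
    # what happens for an ordinary name containing an apostrophe.
    try:
        lookup_concat(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"
    print("concat :", lookup_concat(db, crafted))   # every row: the clause was rewritten
    print("param  :", lookup_param(db, crafted))    # []: the whole string is compared literally
    print("param O'Brien:", lookup_param(db, "o'brien"))
    print("concat O'Brien fails:", concat_query_fails(db, "o'brien"))
```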